Spring MVC Security permitAll to / but denyAll to /** not working

I have a Spring 4 MVC application that is deployed on WildFly 10 and is configured using XML.

I have the following controller defined:

<mvc:view-controller path="/" view-name="/index" />
<mvc:view-controller path="/index" view-name="/index" />

And in Spring Security I define access:

<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/" access="permitAll" />
    <intercept-url pattern="/index" access="permitAll" />
    ...
    <intercept-url pattern="/**" access="denyAll" />
    <form-login login-page="/login" default-target-url="/dashboard"
        always-use-default-target="true" authentication-failure-url="/loginfailed"
        authentication-failure-handler-ref="authenticationFailureHandler" />
    <logout logout-success-url="/index" />
    <access-denied-handler ref="customAccessDeniedHandler"/> 
</http>

If I remove the denyAll to /** intercept-url, the application works as intended; however, adding it causes security to redirect root calls to the login page and not the index page!

Is there a way I can have permitAll access to the root (redirects to /index) of my application and still denyAll to /**, thus covering anything else that is not defined?

Changing the pattern to <intercept-url pattern="/.+" access="denyAll" />, as commented by Vasan, got it working. Below is an example of the change:

<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/" access="permitAll" />
    <intercept-url pattern="/index" access="permitAll" />
    ...
    <intercept-url pattern="/.+" access="denyAll" />
    <form-login login-page="/login" default-target-url="/dashboard"
        always-use-default-target="true" authentication-failure-url="/loginfailed"
        authentication-failure-handler-ref="authenticationFailureHandler" />
    <logout logout-success-url="/index" />
    <access-denied-handler ref="customAccessDeniedHandler"/>
</http>
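
How the two catch-all patterns above are evaluated, as an added example that is not part of the original post: it assumes the <http> element sets no request-matcher attribute, so intercept-url patterns are Ant-style, and it uses Spring's AntPathMatcher on constructed sample paths. The class name InterceptUrlCheck and its helper methods are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.util.AntPathMatcher;

// Added example, not from the original post. Requires spring-core on the classpath.
public class InterceptUrlCheck {

    private static final AntPathMatcher ANT = new AntPathMatcher();

    // intercept-url rules are checked in declaration order and the first
    // matching pattern decides. Returns null when no pattern matches.
    static String firstMatch(Map<String, String> rules, String path) {
        for (Map.Entry<String, String> rule : rules.entrySet()) {
            if (ANT.match(rule.getKey(), path)) {
                return rule.getValue();
            }
        }
        return null;
    }

    // Only the rules visible in the post; the ones elided with "..." are left out.
    static Map<String, String> rules(String catchAllPattern) {
        Map<String, String> rules = new LinkedHashMap<>();
        rules.put("/", "permitAll");
        rules.put("/index", "permitAll");
        rules.put(catchAllPattern, "denyAll");
        return rules;
    }

    public static void main(String[] args) {
        // Constructed sample paths, not taken from the asker's application.
        String[] paths = { "/", "/index", "/admin/users", "/.+" };
        for (String path : paths) {
            String original = firstMatch(rules("/**"), path);
            String changed = firstMatch(rules("/.+"), path);
            System.out.printf("%-14s  /** -> %-10s  /.+ -> %s%n", path,
                    original, changed == null ? "no rule matches" : changed);
        }
    }
}
```

In an Ant-style pattern only ?, *, ** and {name} are special, so /.+ is compared as the literal path "/.+" and a path such as /admin/users matches no rule at all. A request with no matching intercept-url carries no access attribute and Spring Security lets it through by default, so it is worth requesting an unmapped URL to confirm the catch-all still denies.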
